SINGLE FAULT CONDITION, short circuit and open circuit of any component (IEC 60601-1 3.1)

DENich

Hello,

Clause 8.1 b) dash #3 states that SINGLE FAULT CONDITION includes:

- short circuit and open circuit of any component other than a COMPONENT WITH HIGH-INTEGRITY CHARACTERISTICS that is connected in parallel with insulation, with an AIR CLEARANCE or with a CREEPAGE DISTANCE unless shorting can be shown not to be a failure mode for the component.


I find this wording pretty vague. Perhaps it is because I am a non-native English speaker.

I have doubts concerning which components should be subject to a short circuit test and an open circuit test in the case of SINGLE FAULT CONDITION:

1. Reading one

Should be subject to the tests:
any component that is connected in parallel with insulation, with an AIR CLEARANCE or with a CREEPAGE DISTANCE, unless shorting can be shown not to be a failure mode for the component.

Should not be subject to the tests:
any COMPONENT WITH HIGH-INTEGRITY CHARACTERISTICS

2. Reading two

Should be subject to the tests:
any component, unless shorting can be shown not to be a failure mode for the component

Should not be subject to the tests:
any COMPONENT WITH HIGH-INTEGRITY CHARACTERISTICS that is connected in parallel with insulation, with an AIR CLEARANCE or with a CREEPAGE DISTANCE


Moreover, as far as I understand, any component is connected in parallel with insulation, with an AIR CLEARANCE or with a CREEPAGE DISTANCE. So why bother to mention these conditions in the first place? I cannot think of any device where electronic components are just soaring in space. They are all affixed to something.

I would be very grateful if somebody is able to clarify these issues to me!
 

Peter Selvey

Although the standard does tend to harp on about the single fault condition, from the fundamentals of risk management it is really the protection that should be the focus of any assessment. If you have something dangerous, be it electrical, pressure, heat or radiation, you will generally build a protective barrier (or barriers) around the dangerous parts to prevent access or leakage. These barriers then become the focus of the assessment. If you have a part that bridges a protective barrier (such as a capacitor, resistor, optocoupler or transformer), it can be considered to fail unless it is proven to be a high-integrity part, i.e. one that never fails (such as optocouplers rated for 4 kV, or Y2 capacitors). That's what they are talking about.

As long as the design has protection that is reliable and effective, you don't need to worry about faulting parts inside the circuit. You only need to worry about any parts that might defeat the protective barrier or feature.
 

DENich

A big thank you for your reply, Mr. Selvey!
Your rationale is completely plain and logical. I agree with you one hundred percent.

Nevertheless, I believe standards are a field of knowledge where wordings should be as sharp and precise as in jurisprudence. You are speaking about the "barriers" which are meant to protect living beings from dangerous parts of a device. Basically, that is the definition of a MOP. But the definition of SFC above mentions some indeterminate insulation, an AIR CLEARANCE and a CREEPAGE DISTANCE, which is not the same as a MOP.

Such inconsistencies between common logic and the wordings in the standard make me feel depressed :).

In practice, I see the sequence of actions like this:

1. Determine the components a fault of which can lead to unacceptable RISK. In accordance with cl. 4.9, "A COMPONENT WITH HIGH-INTEGRITY CHARACTERISTICS shall be used when a fault in a particular component can generate an unacceptable RISK." Therefore, a list of "to be" COMPONENTS WITH HIGH-INTEGRITY CHARACTERISTICS should be made (test laboratories call it a "Critical parts list").

2. Make sure that the components from the list have approvals of compliance with relevant safety standards or evaluate them in a design by applying requirements/tests of IEC 60601 series.

3. Assess whether a short circuit or open circuit of each component from the list in that particular design can lead to unacceptable RISK. Take measures if so. The assessment can be executed by deploying a series of tests or by using analytic methods.
Components which are bridging MOP(s) should not be assessed in the particular design; they should either have approvals of compliance with relevant safety standards or be tested in accordance with IEC 60601 separately, for example transformers.

Do you agree with me?
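To make the two readings of clause 8.1 b) dash #3 from the opening post concrete, and to sketch the critical-parts screen from the three-step procedure above, here is an added Python example. It is not code from the thread, from the standard, or from any test laboratory. It encodes each reading of the clause as a predicate, runs both over a constructed component list, and reports where the two readings prescribe different tests. The component references and attribute values are invented, and treating the "unless shorting can be shown not to be a failure mode" proviso as waiving only the short-circuit test (leaving the open-circuit test in place) is an assumption of mine.

```python
"""Two readings of IEC 60601-1 cl. 8.1 b) dash #3, plus a critical-parts screen.
Constructed illustration: the component list below is invented, not a real design."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Component:
    ref: str
    bridges_insulation: bool        # in parallel with insulation, an AIR CLEARANCE or a CREEPAGE DISTANCE
    high_integrity: bool            # a COMPONENT WITH HIGH-INTEGRITY CHARACTERISTICS
    shorting_is_failure_mode: bool  # False when shorting "can be shown not to be a failure mode"
    fault_unacceptable_risk: bool   # a fault in it could generate an unacceptable RISK (cl. 4.9)


def _fault_tests(c: Component) -> FrozenSet[str]:
    # Assumption: the "unless shorting ..." proviso waives only the short-circuit
    # test; the open-circuit test is still applied to the component.
    return frozenset({"open", "short"}) if c.shorting_is_failure_mode else frozenset({"open"})


def faults_reading_1(c: Component) -> FrozenSet[str]:
    """Reading 1: only components in parallel with insulation are in scope,
    and every HIGH-INTEGRITY component is excluded outright."""
    if c.high_integrity or not c.bridges_insulation:
        return frozenset()
    return _fault_tests(c)


def faults_reading_2(c: Component) -> FrozenSet[str]:
    """Reading 2: every component is in scope; the exclusion covers only a
    HIGH-INTEGRITY component that is in parallel with insulation."""
    if c.high_integrity and c.bridges_insulation:
        return frozenset()
    return _fault_tests(c)


def disagreements(components: Iterable[Component]) -> List[str]:
    """References of the components for which the two readings prescribe different tests."""
    return [c.ref for c in components if faults_reading_1(c) != faults_reading_2(c)]


def critical_parts_list(components: Iterable[Component]) -> List[str]:
    """Step 1 of the procedure: components whose fault could generate unacceptable RISK."""
    return [c.ref for c in components if c.fault_unacceptable_risk]


def disposition(c: Component) -> str:
    """Steps 2 and 3: what to do with a component, following the procedure in the thread."""
    if not c.fault_unacceptable_risk:
        return "not critical: no fault test needed"
    if c.bridges_insulation:
        # A part bridging a MEANS OF PROTECTION is not faulted in-circuit; it has to be
        # shown to be high-integrity (certified, or tested to the component requirements).
        return "certified HIC" if c.high_integrity else "REVIEW: bridges insulation but is not HIC"
    tests = ", ".join(sorted(_fault_tests(c)))
    return f"fault in-circuit ({tests}) and verify RISK stays acceptable"


# Constructed component list (invented values, not taken from any real device).
CONSTRUCTED: List[Component] = [
    Component("CY1", bridges_insulation=True,  high_integrity=True,  shorting_is_failure_mode=True,  fault_unacceptable_risk=True),
    Component("U3",  bridges_insulation=True,  high_integrity=True,  shorting_is_failure_mode=True,  fault_unacceptable_risk=True),
    Component("R12", bridges_insulation=True,  high_integrity=False, shorting_is_failure_mode=True,  fault_unacceptable_risk=True),
    Component("C7",  bridges_insulation=False, high_integrity=False, shorting_is_failure_mode=True,  fault_unacceptable_risk=True),
    Component("F1",  bridges_insulation=False, high_integrity=True,  shorting_is_failure_mode=False, fault_unacceptable_risk=True),
    Component("R30", bridges_insulation=False, high_integrity=False, shorting_is_failure_mode=True,  fault_unacceptable_risk=False),
]
BY_REF: Dict[str, Component] = {c.ref: c for c in CONSTRUCTED}

if __name__ == "__main__":
    for c in CONSTRUCTED:
        print(f"{c.ref:4} reading1={sorted(faults_reading_1(c))} "
              f"reading2={sorted(faults_reading_2(c))} -> {disposition(c)}")
    print("readings disagree on:", disagreements(CONSTRUCTED))
    print("critical parts list:", critical_parts_list(CONSTRUCTED))
```

Run as a script, the table shows the practical difference between the two parsings: under reading 1 only parts across insulation (here R12) are faulted in-circuit, whereas reading 2 pulls every non-bridging part on the board (C7, F1, R30) into scope, which is exactly the "billions of permutations" problem a barrier-focused assessment avoids.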
 

Peter Selvey

Yeah, look I think it's historical.

Standards probably started out being purely prescriptive for the protective features, and even today they are largely focused on the protection design even if they don't say directly.

For example, when we do an overload test on a transformer, we base the test around the design of the protective components (fuse, thermal cut-out, PTC etc.) and completely ignore the actual faults that could occur in the real secondary. This is an entirely reasonable approach, because single fault analysis would involve a massive effort (literally billions of permutations to analyse), is likely to be utterly unreliable (as is well established in the literature), and would need to be re-evaluated with every change in the secondary. So instead, we base the tests on the limits of the protective device. That way, it does not matter what happens in the secondary; we can be sure that the transformer will stay below the temperature limits. Simple, neat, reliable, low cost, and it works. It's used throughout IEC 60601 for shock, basic fire, pressure vessels, enriched oxygen and mechanical hazards, and the principle is widely used in virtually any industry dealing with high risk scenarios. Boeing paid the price for briefly forgetting this principle with their 737 MAX design: relying on a single sensor and failing to realise what could happen if that sensor fails.

However ... at some point in electrical safety we started to see more complex designs, such as switching power supplies. These did not fully fit into the neat protective structures that already existed. So my guess is that the standards added the "single fault condition" as a backup for these special cases.

The thing is, there are lots of problems with using the single fault condition as a requirement. I could write a short book on it. In reality, a fault condition is just one of several tools we can use to verify that protection operates as expected, and it's part of a much bigger process of validating that the protection is broadly effective and has been implemented as planned. A "Pass" result from a fault test is just a tiny part of a much bigger story.

As such, the single fault condition "requirement" should be literally interpreted by designers as a requirement to implement some form of effective protection. Having a test lab perform a particular fault condition, get a pass result, and state it is safe is really a big fudge.

In terms of basic electrical safety, this fudge is basically OK because (a) most of the standard is anyhow very prescriptive for the protection (dielectric strength, spacings, thickness, sealed joints, certified components etc.) and (b) if the hazard is serious, most designers instinctively know it needs a protection based approach. So it's rare that a manufacturer would rely entirely on a single fault analysis for a high risk situation for the basic stuff like shock from mains, fire and so on.

However, in the context of functional safety for high risk devices, the single fault condition is frequently interpreted as a "requirement". This in turn leads to designs that have a patchwork of risk controls targeted at selected faults, such as watch dog timers for CPU lock up, or sensor short/open detection. This patchwork approach is far from "state of the art" for high risk systems, but is often found in medical devices. I'm 100% sure that IEC 60601 could be challenged in Europe as being insufficient to support the essential requirements (or whatever they are called these days :)).

My rant for the day!!!
 

DENich

What can I say... Amen to that! :))

Unfortunately, the more I dig into 60601, the stronger the feeling I have that designing a safe device and getting a certificate of compliance to 60601 are not exactly the same tasks.

I do not say that 60601 is utterly useless. It does draw attention to very important aspects of safe design. But at the same time it leaves a lot of significant issues aside, and even those mentioned are pretty uncertain and confusing sometimes. I would even say that getting the certificate is to a large extent just a marketing trick. Which is sad.

Thanks a ton for your opinion! Now I know that I am not alone having such thoughts:))
 

Apex Hao

Hi Peter, as usual I enjoy reading your insights on product safety.

Did you manage to get a book or an article written on single fault analysis? Or is there any thread that covers it comprehensively? I would love to read it.
 

Tidge

I enjoyed the rant!

However, in the context of functional safety for high risk devices, the single fault condition is frequently interpreted as a "requirement". This in turn leads to designs that have a patchwork of risk controls targeted at selected faults, such as watch dog timers for CPU lock up, or sensor short/open detection. This patchwork approach is far from "state of the art" for high risk systems, but is often found in medical devices. I'm 100% sure that IEC 60601 could be challenged in Europe as being insufficient to support the essential requirements (or whatever they are called these days :)).

I highlighted "context" because my own feeling is that the current (2020) theory of risk controls in medical devices feels to me as if context is usually ignored, or if it is considered it will be hidden within something like an RCOA. I'm not quite ready to challenge all of 60601, but I definitely feel that at least one collateral standard (60601-1-8, 'alarm systems') could be more tolerant of context. I have a sense that 'context' has become something of a trigger word.

Specific to 60601-1-8, the patchwork approach to risk controls described above can lead to implementing alarm signals with audible components that (within the context of a primary use case), if implemented as prescribed in the collateral standard, would be distracting... both in terms of attention and necessary action. The 60601-1 standard allows some wiggle room on 'requirements' from the POV of risk analysis, but no NRTL wants to be bothered to understand a greater risk analysis when they can stay within a collateral (or particular) standard and write "FAIL".

14971 doesn't exactly help with this issue, as sometimes a line of risk analysis is made 'acceptable' by implementing an indicator of some type... but the line between an indicator and an alarm signal can be fuzzy, especially if the risk analysis moves from unacceptable to acceptable because of the indicator/signal.
 

Peter Selvey

I'm not sure if I have the latest edition of 60601-1-8, but the last time I dug into this issue I found that having an indicator as a risk control triggered the applicability of the standard, but inside the standard most of the requirements are not applicable for run-of-the-mill non-urgent indications like "change the filter".

So, you end up preparing a long report that has only one or two items that are applicable, and they are also fairly innocuous requirements at that. There are no requirements (again from memory) that enforce annoying large visual indications, audible signals and so on. In that sense, it does not affect the design or risk management (since an indication to change the filter is ultimately a risk control), but it does affect the reporting.

This could be a pain in the NRTL context as they charge large fees for each additional standard. But I would check the wording in the standard carefully if you feel it is enforcing any unreasonable, distracting alarm indications.
 

Tidge

Specific to my circumstances and the NRTL/alarms discussion: one of the 'fuzzy lines' that I've encountered is that (in my professional opinion) sometimes things get called 'alarms' (by design teams and/or marketing teams) that would appear (to a lay person) to meet the definition of an 'alarm' but from a 'first principles' approach (starting with 14971 and 60601-1) would not be called alarms. I'm not referring to the distinction between technological and physiological alarm conditions and the means of indicating each. A problem I have encountered is that once a device is marketed with a (layman's) 'alarm system' it becomes practically impossible for an ME designer to avoid 60601-1-8 at an NRTL. I suppose it would be easier if the IFU/manuals never called out such 'alarms', but this is a very slippery slope to navigate.

Now for some discussion about designing an ME device for which 60601-1-8 is perfectly applicable: 60601-1-8's 'alarm condition priority' grid is a really powerful tool, but in certain contexts (e.g. within some use cases) the priority of any given alarm should be deprioritized. This deprioritization I refer to is based on clinical feedback, published articles and accepted 'state of the art' practices.

The issue I have is that 60601-1-8 doesn't explicitly allow an individual piece of equipment's alarm system to behave as if a specific alarm condition has more than one priority (i.e. sometimes one condition should be a lower priority) and thus requires different behavior/permissions... a standalone ME device's alarm system essentially has to be designed (and tested) against its own use case. I personally feel that 14971 and 60601-1 are written to allow the wiggle room to implement the 'most correct' design choice... but what the NRTL sees is a 'FAIL' followed by 'wiggling'... even if you made this obvious to them prior to the test!
 

Peter Selvey

This is off topic? Anyway ...

Use of the term "alarm" (or not) in the IFU or other places is irrelevant. The decision point is whether the indication is used as a risk control measure in the risk management file. So one manufacturer might throw around the word "alarm" carelessly for everything, while another might take extreme care to avoid the word "alarm"; in both cases it does not matter, only what is in the RMF.

As for priorities etc., I agree there is a lot of flexibility in 601-1-8; I think they support the "less is more" approach. If the NRTL decides that more alarms are better, make sure they put it in writing, with appropriate references and having had it reviewed internally, and take it to their accreditation body in the form of a complaint.